Change Healthcare says ‘BlackCat’ cybercriminal group behind disruptive hack

In its latest update on the ongoing cybersecurity incident, Change Healthcare, part of Optum and owned by UnitedHealth Group, confirmed that the attack was perpetrated by a cybercrime group called BlackCat.

“Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants,” Change Healthcare told CNBC. “We are actively working to understand the impact to members, patients and customers.”

BlackCat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to the U.S. Department of Justice. BlackCat has compromised computer networks worldwide and caused hundreds of millions of dollars in losses, it said.

In a since-deleted post on the dark web, BlackCat claimed it was behind the attack on Change Healthcare’s systems. The group said it managed to extract six terabytes of data, including medical records, insurance records and payment information.

Brett Callow, a threat analyst at the cybersecurity company Emsisoft, said ransomware groups often make posts such as these in an effort to bring victims to the negotiating table. He said ransomware groups often exaggerate the amount of data they’ve stolen, so BlackCat’s claims should be treated with skepticism. It can take weeks for an organization to determine exactly what information was stolen, and ransomware groups often use that period of uncertainty to their advantage. “Cybercriminals, they’re not going to tell the truth,” Callow told CNBC.

Change’s parent company, UnitedHealth Group, said it discovered that a cyber threat actor breached part of the unit’s information technology network on February 21, according to a filing with the Securities and Exchange Commission. The company isolated and disconnected the affected systems “immediately upon detection” of the threat, the filing said, but it didn’t disclose the nature of the attack or exactly when it took place.

The company said in its filing with the SEC that it suspected a nation state-associated actor was behind the attack, but Callow said BlackCat is a for-profit cybercrime operation. He called the discrepancy “peculiar,” but said there might be more to the breach than he knows about.

The FBI, HHS and the Cybersecurity and Infrastructure Security Agency issued an updated joint advisory to the health care industry highlighting warning signs that an organization may have been compromised by a BlackCat ransomware actor, along with actions to take to mitigate ransomware attacks. The advisory said health care is one of the most commonly targeted business sectors.